<html>
<head><meta charset="utf-8"><title>validity of str / &amp;str · t-lang/wg-unsafe-code-guidelines · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/index.html">t-lang/wg-unsafe-code-guidelines</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity.20of.20str.20.2F.20.26str.html">validity of str / &amp;str</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="148326520"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity%20of%20str%20/%20%26str/near/148326520" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity.20of.20str.20.2F.20.26str.html#148326520">(Nov 25 2018 at 17:50)</a>:</h4>
<p><span class="user-mention" data-user-id="120791">@RalfJ</span> I don't think a &amp;str to a non-UTF8 is undefined behavior - why would you say that ?</p>



<a name="148326582"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity%20of%20str%20/%20%26str/near/148326582" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity.20of.20str.20.2F.20.26str.html#148326582">(Nov 25 2018 at 17:53)</a>:</h4>
<p>some operations on &amp;str might be undefined behavior if it does not point to an UTF8 string, but others are definitely not (e.g. <code>str.len()</code> )</p>



<a name="148326631"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity%20of%20str%20/%20%26str/near/148326631" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity.20of.20str.20.2F.20.26str.html#148326631">(Nov 25 2018 at 17:54)</a>:</h4>
<p>i see <code>str</code> as just another custom DSTs that we have, and as a custom DST it can impose arbitrary preconditions on how it is supposed to be constructed, its methods, etc.</p>



<a name="148326682"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity%20of%20str%20/%20%26str/near/148326682" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity.20of.20str.20.2F.20.26str.html#148326682">(Nov 25 2018 at 17:56)</a>:</h4>
<p>the only way in which I think that constructing a <code>&amp;str</code> that points to an UTF8 string could be undefined behavior is if you want to have a model in which, if you have an object of a type T, then all its safe methods _must_ be safe to call, therefore, T must be valid</p>



<a name="148326686"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity%20of%20str%20/%20%26str/near/148326686" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity.20of.20str.20.2F.20.26str.html#148326686">(Nov 25 2018 at 17:57)</a>:</h4>
<p>under that model, creating a string to point to a non-UTF8 string would be undefined behavior, but I wonder, how could we catch that in miri?</p>



<a name="148326729"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity%20of%20str%20/%20%26str/near/148326729" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity.20of.20str.20.2F.20.26str.html#148326729">(Nov 25 2018 at 17:58)</a>:</h4>
<p>we could hardcode how to catch that for <code>&amp;str</code>, but thinking of <code>&amp;my_custom_dst</code> with arbitrary validity invariants...</p>



<a name="148326955"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity%20of%20str%20/%20%26str/near/148326955" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity.20of.20str.20.2F.20.26str.html#148326955">(Nov 25 2018 at 18:07)</a>:</h4>
<blockquote>
<p><span class="user-mention" data-user-id="120791">@RalfJ</span> I don't think a &amp;str to a non-UTF8 is undefined behavior - why would you say that ?</p>
</blockquote>
<p>that was just me interpreting what I heard people say</p>



<a name="148326959"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity%20of%20str%20/%20%26str/near/148326959" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity.20of.20str.20.2F.20.26str.html#148326959">(Nov 25 2018 at 18:07)</a>:</h4>
<p>I am perfectly fine with it not being UB :D miri encodes it as UB currently, but since there is no validation behind references, that doesn't mean much</p>



<a name="148327006"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity%20of%20str%20/%20%26str/near/148327006" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity.20of.20str.20.2F.20.26str.html#148327006">(Nov 25 2018 at 18:08)</a>:</h4>
<blockquote>
<p>i see <code>str</code> as just another custom DSTs that we have, and as a custom DST it can impose arbitrary preconditions on how it is supposed to be constructed, its methods, etc.</p>
</blockquote>
<p>ack. that works fine as long as rustc does not exploit this during compilation -- which it could, because <code>ty::Str</code> is a thing it can recognize.</p>



<a name="148329362"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity%20of%20str%20/%20%26str/near/148329362" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity.20of.20str.20.2F.20.26str.html#148329362">(Nov 25 2018 at 19:27)</a>:</h4>
<p>we could do &amp;str-specific optimizations, but if we aren't doing them right now I'd rather try to keep all DSTs as simple as possible</p>



<a name="148329536"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity%20of%20str%20/%20%26str/near/148329536" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity.20of.20str.20.2F.20.26str.html#148329536">(Nov 25 2018 at 19:32)</a>:</h4>
<p>ideally <code>&amp;str</code> would just be something defined in the core library once we have custom DSTs as a thin wrapper over <code>[u8]</code></p>



<a name="148329648"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity%20of%20str%20/%20%26str/near/148329648" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Matthew Jasper <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity.20of.20str.20.2F.20.26str.html#148329648">(Nov 25 2018 at 19:36)</a>:</h4>
<p>It's a language type due to literals, not lack of dst support.</p>



<a name="148331293"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity%20of%20str%20/%20%26str/near/148331293" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Hanna Kruppe <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity.20of.20str.20.2F.20.26str.html#148331293">(Nov 25 2018 at 20:25)</a>:</h4>
<p>some archeology: <a href="https://github.com/rust-lang/rust/pull/19612" target="_blank" title="https://github.com/rust-lang/rust/pull/19612">https://github.com/rust-lang/rust/pull/19612</a></p>



<a name="148355898"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity%20of%20str%20/%20%26str/near/148355898" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity.20of.20str.20.2F.20.26str.html#148355898">(Nov 26 2018 at 09:20)</a>:</h4>
<p>It might be possible to not make it a language type while still keeping literal support for it (not necessarily via user-defined literals, but some rustc hook for that)</p>



<a name="148798179"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity%20of%20str%20/%20%26str/near/148798179" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nikomatsakis <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity.20of.20str.20.2F.20.26str.html#148798179">(Nov 29 2018 at 16:24)</a>:</h4>
<p>the key thing here is that there are safe methods on <code>&amp;str</code> that require utf-8 representation (or have been in the past). So while it would at minimum be part of the "safety invariant" for <code>str</code>, I think?</p>



<a name="148798212"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity%20of%20str%20/%20%26str/near/148798212" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity.20of.20str.20.2F.20.26str.html#148798212">(Nov 29 2018 at 16:25)</a>:</h4>
<p>yes, that would be party of safety</p>



<a name="148798232"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity%20of%20str%20/%20%26str/near/148798232" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity.20of.20str.20.2F.20.26str.html#148798232">(Nov 29 2018 at 16:25)</a>:</h4>
<p>but that's something that the API of <code>&amp;str</code> can specify however it wants</p>



<a name="148798243"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity%20of%20str%20/%20%26str/near/148798243" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity.20of.20str.20.2F.20.26str.html#148798243">(Nov 29 2018 at 16:25)</a>:</h4>
<p>it wouldn't really need to be spelled out in the UCG</p>



<a name="148798244"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity%20of%20str%20/%20%26str/near/148798244" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity.20of.20str.20.2F.20.26str.html#148798244">(Nov 29 2018 at 16:25)</a>:</h4>
<p>yes, it's certainly part of safety</p>



<a name="148798293"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity%20of%20str%20/%20%26str/near/148798293" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity.20of.20str.20.2F.20.26str.html#148798293">(Nov 29 2018 at 16:26)</a>:</h4>
<p>but if the compiler wants to exploit it in any way for optimizations or layout, it must be more than that</p>



<a name="148798347"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity%20of%20str%20/%20%26str/near/148798347" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nikomatsakis <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity.20of.20str.20.2F.20.26str.html#148798347">(Nov 29 2018 at 16:27)</a>:</h4>
<blockquote>
<p>it wouldn't really need to be spelled out in the UCG</p>
</blockquote>
<p>this is not clear to me, but it's more a question of "scope" of UCG I guess. I think that fundamental types like str (which is a lang item, even) seems to be worth documenting outside of rustdoc, but it's a long term thing.</p>



<a name="148798460"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity%20of%20str%20/%20%26str/near/148798460" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity.20of.20str.20.2F.20.26str.html#148798460">(Nov 29 2018 at 16:29)</a>:</h4>
<p>Ah yes, I didn't mean to suggest that the API of <code>&amp;str</code> shouldn't be safe, but rather that this work would be similar to making sure that <code>Vec</code> is safe. We could tackle these types here, but probably at this point it might be better to specify things such that the safety of these types, which is already documented, doesn't break.</p>



<a name="148798543"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity%20of%20str%20/%20%26str/near/148798543" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nikomatsakis <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/validity.20of.20str.20.2F.20.26str.html#148798543">(Nov 29 2018 at 16:30)</a>:</h4>
<p>yep</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>